chore: Add claude-hud plugin configuration and marketplace setup #1041
Adds the claude-hud plugin (v0.0.11) at project scope via claudepluginhub. Provides real-time statusline HUD showing context health, tool activity, agent tracking, and todo progress. https://claude.ai/code/session_01Qe1PoFhrpk2mUKwNFMG998
📝 Walkthrough
Three configuration files are added to establish Claude plugin infrastructure for the
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks: ✅ 3 passed
Greptile Summary
This PR adds ClaudePluginHub CLI-generated configuration files to register and enable the
Key issues:
Confidence Score: 4/5
Not safe to merge as-is — hardcoded machine paths will break the plugin for all contributors, and project-level plugin opt-in raises a security concern. Two P1 findings remain: machine-specific absolute paths baked into committed config files, and a project-level settings file that silently enables a third-party GitHub plugin for every contributor. Both should be resolved before merging.
Reviews (1): Last reviewed commit: "feat: install claude-hud plugin (jarrodw..."
| "cpd-jarrodwatts-claude-hud-project": { | ||
| "source": { | ||
| "source": "directory", | ||
| "path": "/home/user/everything-claude-code/.claude/.cpd-wrappers/jarrodwatts-claude-hud-project" |
Hardcoded absolute path breaks portability for all contributors
The path "/home/user/everything-claude-code/.claude/.cpd-wrappers/..." is the author's local machine path. This settings.json is committed as a project-level Claude Code settings file, meaning it applies to every contributor who clones the repo. Anyone who has the project checked out at a different location (which is virtually everyone) will have a broken plugin configuration since the directory path won't resolve.
The cpd-meta.json file has the same issue at "cwd": "/home/user/everything-claude-code" (line 6).
These files appear to have been auto-generated by the ClaudePluginHub CLI and contain machine-specific state that shouldn't be committed to a shared repository. Consider either:
- Excluding these generated wrapper files via .gitignore
- Using a relative path if the tool supports it
- Providing a setup script/instruction so each developer runs the CLI themselves
| "pluginName": "claude-hud", | ||
| "marketplaceName": "cpd-jarrodwatts-claude-hud-project", | ||
| "scope": "project", | ||
| "cwd": "/home/user/everything-claude-code" |
Machine-specific cwd path hardcoded
"cwd": "/home/user/everything-claude-code" is the author's local working directory baked into a committed config file. If the plugin runtime uses this field to resolve plugin resources, it will silently fail for all other contributors whose checkout is in a different directory.
This field is likely generated by the ClaudePluginHub CLI and is not intended to be shared in version control.
| { | ||
| "extraKnownMarketplaces": { | ||
| "cpd-jarrodwatts-claude-hud-project": { | ||
| "source": { | ||
| "source": "directory", | ||
| "path": "/home/user/everything-claude-code/.claude/.cpd-wrappers/jarrodwatts-claude-hud-project" | ||
| } | ||
| } | ||
| }, | ||
| "enabledPlugins": { | ||
| "claude-hud@cpd-jarrodwatts-claude-hud-project": true | ||
| } | ||
| } |
Project-level settings.json silently enables a third-party plugin for all contributors
.claude/settings.json is the project-level Claude Code settings file. By committing it with "enabledPlugins": { "claude-hud@cpd-jarrodwatts-claude-hud-project": true }, this PR automatically enables a third-party plugin sourced from jarrodwatts/claude-hud on GitHub for every developer who opens this repository — without their explicit consent.
Plugin code fetched from an external GitHub repo runs within Claude Code's execution context and can issue arbitrary shell commands, modify files, or make network requests. Committing a shared settings file that opts-in all contributors to a third-party plugin is a significant security concern that should at minimum be prominently documented and opt-in per-developer (e.g., in user-level settings, not project-level settings).
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 58249380cb
| "cpd-jarrodwatts-claude-hud-project": { | ||
| "source": { | ||
| "source": "directory", | ||
| "path": "/home/user/everything-claude-code/.claude/.cpd-wrappers/jarrodwatts-claude-hud-project" |
Replace user-specific marketplace path with portable source
The configured marketplace source uses a hard-coded absolute path under one developer’s home directory, so plugin resolution fails whenever the repo is checked out elsewhere (CI, other contributors, containers, or different home paths). In those environments, claude-hud@cpd-jarrodwatts-claude-hud-project cannot be loaded because the directory source does not exist. Use a portable reference (for example a repo source) or a path derived from the current project root.
Pull request overview
Adds project-scoped Claude configuration to register a local plugin marketplace wrapper and enable the external claude-hud plugin within this repository’s Claude environment.
Changes:
- Added .claude/settings.json to register an extra marketplace and enable claude-hud.
- Added CPD wrapper metadata for jarrodwatts/claude-hud.
- Added a wrapper-scoped marketplace definition pointing to the GitHub repo.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .claude/settings.json | Registers a directory-based marketplace wrapper and enables the plugin. |
| .claude/.cpd-wrappers/jarrodwatts-claude-hud-project/cpd-meta.json | Defines wrapper metadata (repo/name/scope/cwd). |
| .claude/.cpd-wrappers/jarrodwatts-claude-hud-project/.claude-plugin/marketplace.json | Declares the wrapper marketplace and points the plugin source at GitHub. |
| "cpd-jarrodwatts-claude-hud-project": { | ||
| "source": { | ||
| "source": "directory", | ||
| "path": "/home/user/everything-claude-code/.claude/.cpd-wrappers/jarrodwatts-claude-hud-project" |
The marketplace path is hard-coded to a local absolute directory (/home/user/...). This makes the config non-portable for other contributors and also leaks a local filesystem path. Prefer a repo-relative path (e.g., relative to the project root) or a supported variable (if Claude supports it) so the plugin works on any machine.
| "path": "/home/user/everything-claude-code/.claude/.cpd-wrappers/jarrodwatts-claude-hud-project" | |
| "path": ".claude/.cpd-wrappers/jarrodwatts-claude-hud-project" |
| } | ||
| }, | ||
| "enabledPlugins": { | ||
| "claude-hud@cpd-jarrodwatts-claude-hud-project": true |
This enables a third-party plugin by default for anyone using project-level Claude settings. If that’s not an intentional policy for this repo, consider leaving it disabled by default (or moving this guidance to docs) so contributors opt in explicitly.
| "claude-hud@cpd-jarrodwatts-claude-hud-project": true | |
| "claude-hud@cpd-jarrodwatts-claude-hud-project": false |
| "pluginName": "claude-hud", | ||
| "marketplaceName": "cpd-jarrodwatts-claude-hud-project", | ||
| "scope": "project", | ||
| "cwd": "/home/user/everything-claude-code" |
The cwd field is set to an absolute local path (/home/user/...). This will not be valid on other machines and may leak local environment details. Use a relative path (e.g., ".") or remove cwd if it’s optional so the wrapper is portable.
| "cwd": "/home/user/everything-claude-code" | |
| "cwd": "." |
| { | ||
| "name": "cpd-jarrodwatts-claude-hud-project", | ||
| "owner": { |
PR description says the marketplace definition was created at .claude/.cpd-wrappers/jarrodwatts-claude-hud-project/marketplace.json, but the actual file path added is under .claude-plugin/marketplace.json. Please update the PR description (or file location) so it accurately reflects what was added.
4 issues found across 3 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".claude/.cpd-wrappers/jarrodwatts-claude-hud-project/.claude-plugin/marketplace.json">
<violation number="1" location=".claude/.cpd-wrappers/jarrodwatts-claude-hud-project/.claude-plugin/marketplace.json:11">
P1: Marketplace configuration introduces a mutable external GitHub plugin source, creating supply-chain and reproducibility risk.</violation>
</file>
<file name=".claude/.cpd-wrappers/jarrodwatts-claude-hud-project/cpd-meta.json">
<violation number="1" location=".claude/.cpd-wrappers/jarrodwatts-claude-hud-project/cpd-meta.json:6">
P1: Project config hardcodes a developer-specific absolute `cwd`, making plugin setup non-portable across machines and CI.</violation>
</file>
<file name=".claude/settings.json">
<violation number="1" location=".claude/settings.json:6">
P2: Committed plugin marketplace config uses a machine-specific absolute path, making plugin loading non-portable across developers and CI.</violation>
<violation number="2" location=".claude/settings.json:11">
P2: Project settings auto-enable a third-party plugin from a directory/GitHub-backed wrapper without visible integrity pinning or explicit opt-in, creating a supply-chain trust risk.</violation>
</file>
| "name": "claude-hud", | ||
| "source": { | ||
| "source": "github", | ||
| "repo": "jarrodwatts/claude-hud" |
P1: Marketplace configuration introduces a mutable external GitHub plugin source, creating supply-chain and reproducibility risk.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .claude/.cpd-wrappers/jarrodwatts-claude-hud-project/.claude-plugin/marketplace.json, line 11:
<comment>Marketplace configuration introduces a mutable external GitHub plugin source, creating supply-chain and reproducibility risk.</comment>
<file context>
@@ -0,0 +1,16 @@
+ "name": "claude-hud",
+ "source": {
+ "source": "github",
+ "repo": "jarrodwatts/claude-hud"
+ },
+ "strict": false
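Review bot: `"strict": false` on the last added line has no explanation anywhere in the PR, and it sits under a `github` source for `jarrodwatts/claude-hud` that carries `repo` but neither `ref` nor `sha`. Say in the description why strict is disabled for this entry or remove the field, and pin the source to the v0.0.11 release the description names so the committed file identifies one exact revision.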
</file context>
| "pluginName": "claude-hud", | ||
| "marketplaceName": "cpd-jarrodwatts-claude-hud-project", | ||
| "scope": "project", | ||
| "cwd": "/home/user/everything-claude-code" |
P1: Project config hardcodes a developer-specific absolute cwd, making plugin setup non-portable across machines and CI.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .claude/.cpd-wrappers/jarrodwatts-claude-hud-project/cpd-meta.json, line 6:
<comment>Project config hardcodes a developer-specific absolute `cwd`, making plugin setup non-portable across machines and CI.</comment>
<file context>
@@ -0,0 +1,7 @@
+ "pluginName": "claude-hud",
+ "marketplaceName": "cpd-jarrodwatts-claude-hud-project",
+ "scope": "project",
+ "cwd": "/home/user/everything-claude-code"
+}
</file context>
| } | ||
| }, | ||
| "enabledPlugins": { | ||
| "claude-hud@cpd-jarrodwatts-claude-hud-project": true |
P2: Project settings auto-enable a third-party plugin from a directory/GitHub-backed wrapper without visible integrity pinning or explicit opt-in, creating a supply-chain trust risk.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .claude/settings.json, line 11:
<comment>Project settings auto-enable a third-party plugin from a directory/GitHub-backed wrapper without visible integrity pinning or explicit opt-in, creating a supply-chain trust risk.</comment>
<file context>
@@ -0,0 +1,13 @@
+ }
+ },
+ "enabledPlugins": {
+ "claude-hud@cpd-jarrodwatts-claude-hud-project": true
+ }
+}
</file context>
| "cpd-jarrodwatts-claude-hud-project": { | ||
| "source": { | ||
| "source": "directory", | ||
| "path": "/home/user/everything-claude-code/.claude/.cpd-wrappers/jarrodwatts-claude-hud-project" |
P2: Committed plugin marketplace config uses a machine-specific absolute path, making plugin loading non-portable across developers and CI.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .claude/settings.json, line 6:
<comment>Committed plugin marketplace config uses a machine-specific absolute path, making plugin loading non-portable across developers and CI.</comment>
<file context>
@@ -0,0 +1,13 @@
+ "cpd-jarrodwatts-claude-hud-project": {
+ "source": {
+ "source": "directory",
+ "path": "/home/user/everything-claude-code/.claude/.cpd-wrappers/jarrodwatts-claude-hud-project"
+ }
+ }
</file context>
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In
@.claude/.cpd-wrappers/jarrodwatts-claude-hud-project/.claude-plugin/marketplace.json:
- Around line 8-12: The marketplace entry for the "claude-hud" plugin currently
omits a version pin; update the source object for "claude-hud" by adding a ref
(e.g., "v0.0.11") or a sha commit hash to the source object so installs are
pinned to the exact release instead of tracking the default branch; modify the
JSON for the "source" object that contains "source":"github" and
"repo":"jarrodwatts/claude-hud" to include the new "ref" (or "sha") field.
In @.claude/settings.json:
- Line 6: Change the hardcoded absolute path value for the JSON "path" key in
settings.json to a project-root relative path (prefix with ./) so it works
across dev/CI environments; specifically replace the absolute string value that
points to the marketplace wrapper (the current jarrodwatts-claude-hud-project
path) with a relative equivalent like
./.claude/.cpd-wrappers/jarrodwatts-claude-hud-project and commit the updated
settings.json.
📒 Files selected for processing (3)
- .claude/.cpd-wrappers/jarrodwatts-claude-hud-project/.claude-plugin/marketplace.json
- .claude/.cpd-wrappers/jarrodwatts-claude-hud-project/cpd-meta.json
- .claude/settings.json
| "name": "claude-hud", | ||
| "source": { | ||
| "source": "github", | ||
| "repo": "jarrodwatts/claude-hud" | ||
| }, |
🧩 Analysis chain
🌐 Web query:
For Claude Plugin Hub marketplace.json, what field(s) pin a GitHub plugin to an exact tag or commit (for example v0.0.11) instead of tracking default branch?
💡 Result:
In the Claude Plugin Hub's marketplace.json file, for GitHub plugins (source type "github"), the fields that pin to an exact tag or commit instead of tracking the default branch are ref and sha within the source object.
- ref (optional string): Specifies a Git branch or tag (e.g., "v0.0.11"). Defaults to the repository's default branch if omitted. Using ref tracks that branch/tag, which can move.
- sha (optional string): Full 40-character Git commit SHA to pin to an exact immutable commit. This provides the strongest pinning.
Example for pinning to tag v0.0.11:
{ "name": "my-plugin", "source": { "source": "github", "repo": "owner/plugin-repo", "ref": "v0.0.11" } }
For exact commit pinning:
{ "source": { "source": "github", "repo": "owner/plugin-repo", "sha": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0" } }
Both can be used together, but sha overrides for exact pinning. This applies similarly to "url" and "git-subdir" source types. Omitting both uses the repo's default branch (tracks latest).
Citations:
- 1: https://code.claude.com/docs/en/plugin-marketplaces
- 2: https://github.com/anthropics/claude-plugins-official/blob/main/.claude-plugin/marketplace.json
- 3: https://docs.claude.com/en/docs/claude-code/plugin-marketplaces
- 4: https://docs.anthropic.com/en/docs/claude-code/plugin-marketplaces
Pin the GitHub plugin source to the v0.0.11 tag.
Add the ref field to the source object to pin to the version specified in the PR. Without it, installs will track the default branch instead of v0.0.11:
Example fix
"name": "claude-hud",
"source": {
"source": "github",
"repo": "jarrodwatts/claude-hud",
"ref": "v0.0.11"
},
Alternatively, use sha with a full commit hash for exact immutable pinning.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In
@.claude/.cpd-wrappers/jarrodwatts-claude-hud-project/.claude-plugin/marketplace.json
around lines 8 - 12, The marketplace entry for the "claude-hud" plugin currently
omits a version pin; update the source object for "claude-hud" by adding a ref
(e.g., "v0.0.11") or a sha commit hash to the source object so installs are
pinned to the exact release instead of tracking the default branch; modify the
JSON for the "source" object that contains "source":"github" and
"repo":"jarrodwatts/claude-hud" to include the new "ref" (or "sha") field.
| "cpd-jarrodwatts-claude-hud-project": { | ||
| "source": { | ||
| "source": "directory", | ||
| "path": "/home/user/everything-claude-code/.claude/.cpd-wrappers/jarrodwatts-claude-hud-project" |
🧩 Analysis chain
🌐 Web query:
In Claude project settings (.claude/settings.json), does extraKnownMarketplaces..source.path support relative paths (for example .claude/.cpd-wrappers/...)? If yes, what is the recommended portable format?
💡 Result:
Yes, extraKnownMarketplaces..source.path supports relative paths when source is "directory". Relative paths are resolved from the project root (for project settings in .claude/settings.json). Absolute paths may silently fail, as reported in GitHub issues. The recommended portable format uses ./ prefix for paths relative to the project root, e.g., "path": "./.claude/marketplace". This works across team members cloning the repo, unlike absolute paths. Symlinks can be used for external directories to enable relative paths. Official docs primarily show absolute paths for "directory" sources (e.g., /usr/local/share/claude/acme-plugins) but confirm relative path support via general path prefix rules (./ relative to project root) and GitHub issues demonstrating usage.
Citations:
- 1: https://code.claude.com/docs/en/settings
- 2: extraKnownMarketplaces: absolute paths silently fail for directory source type anthropics/claude-code#26861
- 3: https://code.claude.com/docs/en/plugin-marketplaces
- 4: https://www.market.dev
- 5: https://docs.claude.com/en/docs/claude-code/settings
Use a relative project-root path for marketplace directory.
At Line 6, the absolute path /home/user/everything-claude-code/.claude/.cpd-wrappers/jarrodwatts-claude-hud-project is hardcoded and will fail portably across developers and CI environments. Switch to a relative path prefixed with ./ (e.g., ./.claude/.cpd-wrappers/jarrodwatts-claude-hud-project), which is resolved from the project root. Absolute paths may silently fail in Claude settings.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.claude/settings.json at line 6, Change the hardcoded absolute path value
for the JSON "path" key in settings.json to a project-root relative path (prefix
with ./) so it works across dev/CI environments; specifically replace the
absolute string value that points to the marketplace wrapper (the current
jarrodwatts-claude-hud-project path) with a relative equivalent like
./.claude/.cpd-wrappers/jarrodwatts-claude-hud-project and commit the updated
settings.json.
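The findings raised across these reviews (absolute paths, a plugin enabled for every contributor, an unpinned GitHub source) can be checked mechanically before merge. The following is an added example, not code from this PR or from ClaudePluginHub; the function names are hypothetical, and the top-level "plugins" list in marketplace.json is an assumption because the diff shows only the plugin entry itself.

```python
import json
import re
from pathlib import PurePosixPath, PureWindowsPath

FULL_SHA = re.compile(r"[0-9a-f]{40}")

def is_absolute(path):
    # Covers POSIX (/home/...) and Windows (drive-letter) checkouts.
    return PurePosixPath(path).is_absolute() or PureWindowsPath(path).is_absolute()

def audit_settings(settings):
    """Flag machine-specific marketplace paths and plugins enabled for everyone."""
    findings = []
    for name, entry in settings.get("extraKnownMarketplaces", {}).items():
        src = entry.get("source", {})
        if src.get("source") == "directory" and is_absolute(src.get("path", "")):
            findings.append(f"absolute-path: marketplace {name}")
    for plugin, enabled in settings.get("enabledPlugins", {}).items():
        if enabled is True:
            findings.append(f"auto-enabled: {plugin}")
    return findings

def audit_meta(meta):
    """Flag an absolute cwd in cpd-meta.json."""
    return ["absolute-path: cwd"] if is_absolute(meta.get("cwd", "")) else []

def audit_marketplace(marketplace):
    """Flag github plugin sources that are not pinned to a full commit sha."""
    findings = []
    for plugin in marketplace.get("plugins", []):  # "plugins" key is an assumption
        src = plugin.get("source")
        if not isinstance(src, dict) or src.get("source") != "github":
            continue
        if FULL_SHA.fullmatch(str(src.get("sha", ""))):
            continue  # immutable commit pin
        kind = "movable-ref" if src.get("ref") else "unpinned"
        findings.append(f"{kind}: {plugin.get('name')} from {src.get('repo')}")
    return findings

# settings.json as shown in the PR diff.
SETTINGS = json.loads("""{
  "extraKnownMarketplaces": {
    "cpd-jarrodwatts-claude-hud-project": {
      "source": {
        "source": "directory",
        "path": "/home/user/everything-claude-code/.claude/.cpd-wrappers/jarrodwatts-claude-hud-project"
      }
    }
  },
  "enabledPlugins": {"claude-hud@cpd-jarrodwatts-claude-hud-project": true}
}""")
# Fields of cpd-meta.json visible in the diff; only cwd is inspected.
META = {"scope": "project", "cwd": "/home/user/everything-claude-code"}
# Constructed: the plugin entry is from the diff, the enclosing list is assumed.
MARKETPLACE = {"plugins": [{"name": "claude-hud", "strict": False,
    "source": {"source": "github", "repo": "jarrodwatts/claude-hud"}}]}

def audit_all(settings, meta, marketplace):
    return audit_settings(settings) + audit_meta(meta) + audit_marketplace(marketplace)

if __name__ == "__main__":
    for finding in audit_all(SETTINGS, META, MARKETPLACE):
        print(finding)
```

A tag in `ref` is reported as `movable-ref` rather than accepted, matching the distinction the quoted query result draws between `ref` and `sha`.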
…)" This reverts commit 0c9b024.
Adds the claude-hud plugin (v0.0.11) at project scope via claudepluginhub. Provides real-time statusline HUD showing context health, tool activity, agent tracking, and todo progress. https://claude.ai/code/session_01Qe1PoFhrpk2mUKwNFMG998 Co-authored-by: Claude <noreply@anthropic.com>
…aan-m#1041)" This reverts commit 0c9b024.
Adds the claude-hud plugin (v0.0.11) at project scope via claudepluginhub. Provides real-time statusline HUD showing context health, tool activity, agent tracking, and todo progress. https://claude.ai/code/session_01Qe1PoFhrpk2mUKwNFMG998 Co-authored-by: Claude <noreply@anthropic.com>
…aan-m#1041)" This reverts commit 8b1a2fd.
What Changed
Added Claude plugin configuration files to enable the claude-hud plugin from the jarrodwatts/claude-hud repository:
- .claude/.cpd-wrappers/jarrodwatts-claude-hud-project/marketplace.json with plugin marketplace definition
- .claude/.cpd-wrappers/jarrodwatts-claude-hud-project/cpd-meta.json with plugin metadata
- .claude/settings.json to register the marketplace and enable the plugin
Why This Change
This change integrates the claude-hud plugin into the project's Claude development environment, allowing the plugin to be available and enabled for use within the project context.
Testing Done
Type of Change
chore: Maintenance/tooling
Security & Quality Checklist
https://claude.ai/code/session_01Qe1PoFhrpk2mUKwNFMG998
Summary by cubic
Adds project-scoped config to install and enable the claude-hud plugin via a local marketplace. This makes a real-time statusline HUD available in the Claude dev environment (context health, tool activity, agent tracking, todo progress).
- .claude/.cpd-wrappers/jarrodwatts-claude-hud-project/.claude-plugin/marketplace.json pointing to jarrodwatts/claude-hud.
- .claude/.cpd-wrappers/jarrodwatts-claude-hud-project/cpd-meta.json for project-scoped metadata.
- claude-hud in .claude/settings.json.
Written for commit 5824938. Summary will update on new commits.